(CVE-2015-0810) Mozilla Firefox for Mac OS X : Cursor can be totally invisible using a flash object which renders the cursor invisible on it and the JavaScript function "Alert()" on another tab previously opened.

Status: RESOLVED DUPLICATE of bug 1125013
Product / Component: Core / Plug-ins
Reported: 4 years ago; last modified: 2 years ago
People: Reporter: Jordi Chancel; Assignee: Unassigned
Keywords: csectype-spoof, sec-moderate, testcase
Version: 35 Branch
Hardware / OS: x86, Mac OS X
Points: ---
Bug Flags: sec-bounty -
Firefox Tracking Flags: (Not tracked)
Whiteboard: (TESTCASE2 have better severity - Read comment13)
Attachments: 2 attachments, 2 obsolete attachments

Description (Reporter), 4 years ago
Created attachment 8549395 [details]
TestCase1.zip

User Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:35.0) Gecko/20100101 Firefox/35.0
Build ID: 20150108202552

Steps to reproduce:

This vulnerability is similar to Bug 995603.

I think this works only on Mac OS X.

Steps:
1. Go to the testcase (1.htm) and click on the "clickme" link (a new tab will be opened).
2. Now you are on the newly opened tab (2.htm) and must click on the "Step2 :ClickMe" button.
3. Move the cursor into the webpage and wait a few seconds.
4. A JavaScript function "Alert()" will redirect you to the previous tab (1.htm).

Actual results:

The cursor is now totally invisible.

Expected results:

You can use this vulnerability to install an XPI or to perform a clickjacking/cursorjacking or other spoofing attack on whatever you want.
Comment 1 (Reporter), 4 years ago
Created attachment 8549432 [details]
Video Example MAC OS X.html

You can watch this video to understand how this vulnerability works. :-)
Thanks Jordi. I can see the cursor get hidden. It appears very similar to bug 1009169, but is more reliable. I am not convinced that this alone constitutes an exploit, as you still have to convince the user to click where you want them to. However, I have reproduced the behavior.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: csectype-spoof, sec-low
Comment 3 (Reporter), 4 years ago
This vulnerability isn't low; we can make exactly the same attack as bug 995603.

Do you want a demonstration?
The first bug had a better proof of concept and appeared to be more reliable in getting the user to click somewhere predictable.

This bug hides the cursor, but no one who has tried it was successfully clickjacked. So, without an example that is shown to be likely to harm people, it's not going to be rated as high.
Flags: needinfo?(mwobensmith)
Comment 8 (Reporter), 4 years ago
Created attachment 8555736 [details]
TESTCASE2 (severity demo).zip

This TESTCASE demonstrates the possible severity of this vulnerability. In this demonstration of a clickjacking attack, it's possible to render the cursor invisible and use it in combination with an image of the cursor manipulated through JavaScript, leading to a clickjacking attack during subsequent interactions with HTML content.

With this flaw it's possible to execute an Addon (.XPI).

It's possible to make other ClickJacking/CursorJacking attacks (more or less severe than this demonstration).
Attachment #8549395 - Attachment is obsolete: true
Updated (Reporter), 4 years ago
Attachment #8555736 - Attachment filename: TESTCASE1 ClickJacking using flash and a redirect to a previous tab.zip → TESTCASE2 (severity demo).zip

Updated (Reporter), 4 years ago
Attachment #8555736 - Attachment description: TESTCASE1 ClickJacking using flash and a redirect to a previous tab.zip → TESTCASE2 (severity demo).zip

Updated (Reporter), 4 years ago
Keywords: sec-low
Comment 9 (Reporter), 4 years ago
I have uploaded TESTCASE2.zip, which demonstrates the possible severity of this vulnerability. In this demonstration of a clickjacking attack, it's possible to render the cursor invisible and use it in combination with an image of the cursor manipulated through JavaScript, leading to a clickjacking attack during subsequent interactions with HTML content.

With this flaw it's possible to execute an Addon (.XPI).

It's possible to make other ClickJacking/CursorJacking attacks (more or less severe than this demonstration).
Comment 10 (Reporter), 4 years ago
Created attachment 8557578 [details]
Video-Example-(severity demo)on_Mac_OS_X.html

I have uploaded a new testcase which demonstrates the severity of this vulnerability, and I have uploaded a video too which demonstrates the severity and the user interaction needed for this vulnerability.
---

This TESTCASE demonstrates the possible severity of this vulnerability. In this demonstration of a clickjacking attack, it's possible to render the cursor invisible and use it in combination with an image of the cursor manipulated through JavaScript, leading to a clickjacking attack during subsequent interactions with HTML content.

With this flaw it's possible to execute an Addon (.XPI).

---

It's possible to make other ClickJacking/CursorJacking attacks (more or less severe than this demonstration).
---

I assume that this flaw requires less user interaction than Bug 995603 and Bug 1125013, but it's not possible that this bug is only sec-low; I'm sure that this bug is sec-moderate at worst or sec-high (as I surely think). The impact is exactly the same as bug 995603 (but with less user interaction). I also want you to look at https://bugzilla.mozilla.org/show_bug.cgi?id=1125013, which is exactly the same vulnerability with the same severity and user interaction as Bug 995603 (so this bug must be rated sec-high).

Thank you very much for your quick answer.
Attachment #8549432 - Attachment is obsolete: true
Flags: needinfo?(abillings)

Updated, 4 years ago
Flags: needinfo?(abillings)

Updated (Reporter), 4 years ago
Whiteboard: sec-moderate or sec-high?

Updated (Reporter), 4 years ago
Blocks: 995603

Updated (Reporter), 4 years ago
Keywords: testcase
Comment 11 (Reporter), 4 years ago
The test case that I have uploaded requires too many steps or unlikely steps, but I can code a better proof of concept which will show a better severity for this vulnerability with fewer and more likely steps for the demonstration. Please give me the time to code a better proof of concept for this vulnerability and you will better define the real severity of this security bug (for me the least severe rating is "sec-moderate" and the most elevated is "sec-high").

PS: this vulnerability has the same impact as the reported bug 995603; I must just code a better testcase to show the same severity in this bug. The better proof of concept will be coded and uploaded as soon as possible.
Updated (Reporter), 4 years ago
Whiteboard: sec-moderate or sec-high? → (TESTCASE2 demonstrates a better severity) sec-moderate or sec-high?
Comment 13 (Reporter), 4 years ago
Can you define the severity using the new TESTCASE (TestCase2.zip)?

TESTCASE2.ZIP demonstrates that we can install an XPI addon using the invisible cursor with low user interaction.
Flags: needinfo?(mwobensmith)
Updated (Reporter), 4 years ago
Whiteboard: (TESTCASE2 demonstrates a better severity) sec-moderate or sec-high? → (TESTCASE2 have better severity - Read comment13) sec-moderate or sec-high?

Updated, 4 years ago
Component: Untriaged → Plug-ins

Updated, 3 years ago
Flags: needinfo?(spohl.mozilla.bugs)
Flags: needinfo?(benjamin)

Updated, 3 years ago
Flags: needinfo?(benjamin)
Jordi: please don't harass the developers in the bug with off-topic conversations. Stuff about bounties and security ratings should be sent to the security alias; keep the bug focused on fixing the problem (e.g. adding testcases and explanations are great, thanks for testcase2).
Flags: needinfo?(jruderman) → sec-bounty?
Attachment #8555736 - Attachment mime type: application/zip → application/java-archive
The cursor no longer goes invisible for me, also "fixed" by bug 1121811 on trunk? Is there any reason to believe the underlying bad interaction between Flash and Firefox on Mac is a different one from bug 1125013?
Keywords: sec-moderate
Comment 24 (Reporter), 3 years ago
This bug is fixed by Bug 1125013.

RESOLVED/FIXED for me.

Updated, 3 years ago
Status: NEW → RESOLVED
Last Resolved: 3 years ago
Flags: sec-bounty? → sec-bounty-
Resolution: --- → DUPLICATE
Whiteboard: (TESTCASE2 have better severity - Read comment13) sec-moderate or sec-high? → (TESTCASE2 have better severity - Read comment13)
Duplicate of bug: 1125013

Updated (Reporter), 3 years ago
Alias: (CVE-2015-0810)
Summary: Mozilla Firefox for Mac OS X : Cursor can be totally invisible using a flash object which renders the cursor invisible on it and the JavaScript function "Alert()" on another tab previously opened. → (CVE-2015-0810) Mozilla Firefox for Mac OS X : Cursor can be totally invisible using a flash object which renders the cursor invisible on it and the JavaScript function "Alert()" on another tab previously opened.

Updated (Reporter), 3 years ago
Alias: (CVE-2015-0810)

Updated, 3 years ago
Group: core-security → core-security-release
Blocks: 1158439
Group: core-security-release